ANN: A new version (0.4.3) of python-gnupg has been released. It contains a security-related change - please update to this version
Vinay Sajip
vinay_sajip at yahoo.co.uk
Wed Jun 13 14:06:51 EDT 2018
A new version of the Python module which wraps GnuPG has been released.
What Changed?=============This is a security-fix release, and all users are strongly encouraged to upgrade.This fix mitigates against CVE-2018-12020. See the discoverer's blog post [6] formore information.
Brief summary:
* Added --no-verbose to the gpg command line, in case verbose is specified in gpg.conf - we don't need verbose output.
This release [2] has been signed with my code signing key:
Vinay Sajip (CODE SIGNING KEY) <vinay_sajip at yahoo.co.uk>Fingerprint: CA74 9061 914E AC13 8E66 EADB 9147 B477 339A 9B86
Recent changes to PyPI don't show the GPG signature with the download links.An alternative download source where the signatures are available is the project'sown downloads page [5].
What Does It Do?================The gnupg module allows Python programs to make use of thefunctionality provided by the Gnu Privacy Guard (abbreviated GPG orGnuPG). Using this module, Python programs can encrypt and decryptdata, digitally sign documents and verify digital signatures, manage(generate, list and delete) encryption keys, using proven Public KeyInfrastructure (PKI) encryption technology based on OpenPGP.
This module is expected to be used with Python versions >= 2.4, as itmakes use of the subprocess module which appeared in that version ofPython. This module is a newer version derived from earlier work byAndrew Kuchling, Richard Jones and Steve Traugott.
A test suite using unittest is included with the source distribution.
Simple usage:
>>> import gnupg>>> gpg = gnupg.GPG(gnupghome='/path/to/keyring/directory')>>> gpg.list_keys()
[{...'fingerprint': 'F819EE7705497D73E3CCEE65197D5DAC68F1AAB2','keyid': '197D5DAC68F1AAB2','length': '1024','type': 'pub','uids': ['', 'Gary Gross (A test user) <gary.gr... at gamma.com>']},{...'fingerprint': '37F24DD4B918CC264D4F31D60C5FEFA7A921FC4A','keyid': '0C5FEFA7A921FC4A','length': '1024',...'uids': ['', 'Danny Davis (A test user) <danny.da... at delta.com>']}]>>> encrypted = gpg.encrypt("Hello, world!", ['0C5FEFA7A921FC4A'])>>> str(encrypted)
'-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1.4.9 (GNU/Linux)\n\nhQIOA/6NHMDTXUwcEAf.-----END PGP MESSAGE-----\n'>>> decrypted = gpg.decrypt(str(encrypted), passphrase='secret')>>> str(decrypted)
'Hello, world!'>>> signed = gpg.sign("Goodbye, world!", passphrase='secret')>>> verified = gpg.verify(str(signed))>>> print "Verified" if verified else "Not verified"
'Verified'
As always, your feedback is most welcome (especially bug reports [3],patches and suggestions for improvement, or any other points via themailing list/discussion group [4]).
Enjoy!
Cheers
Vinay SajipRed Dove Consultants Ltd.
[1] https://bitbucket.org/vinay.sajip/python-gnupg[2] https://pypi.python.org/pypi/python-gnupg/0.4.3[3] https://bitbucket.org/vinay.sajip/python-gnupg/issues[4] https://groups.google.com/forum/#!forum/python-gnupg[5] https://bitbucket.org/vinay.sajip/python-gnupg/downloads/[6] https://neopg.io/blog/gpg-signature-spoof/
More information about the Python-announce-list
mailing list